mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 11:00:25 +00:00
deploy: Add KMS configuration to Ceph FS
Adds necessary KMS configuration based on the RBD configuration to use Ceph FS with fscrypt Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
This commit is contained in:
parent
4788d279a5
commit
0e66c3211a
@ -117,6 +117,12 @@ spec:
|
|||||||
fieldPath: spec.nodeName
|
fieldPath: spec.nodeName
|
||||||
- name: CSI_ENDPOINT
|
- name: CSI_ENDPOINT
|
||||||
value: unix:///csi/csi-provisioner.sock
|
value: unix:///csi/csi-provisioner.sock
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
# - name: KMS_CONFIGMAP_NAME
|
||||||
|
# value: encryptionConfig
|
||||||
imagePullPolicy: "IfNotPresent"
|
imagePullPolicy: "IfNotPresent"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
@ -134,6 +140,8 @@ spec:
|
|||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
- name: keys-tmp-dir
|
- name: keys-tmp-dir
|
||||||
mountPath: /tmp/csi/keys
|
mountPath: /tmp/csi/keys
|
||||||
|
- name: ceph-csi-encryption-kms-config
|
||||||
|
mountPath: /etc/ceph-csi-encryption-kms-config/
|
||||||
- name: liveness-prometheus
|
- name: liveness-prometheus
|
||||||
image: quay.io/cephcsi/cephcsi:canary
|
image: quay.io/cephcsi/cephcsi:canary
|
||||||
args:
|
args:
|
||||||
@ -178,3 +186,6 @@ spec:
|
|||||||
emptyDir: {
|
emptyDir: {
|
||||||
medium: "Memory"
|
medium: "Memory"
|
||||||
}
|
}
|
||||||
|
- name: ceph-csi-encryption-kms-config
|
||||||
|
configMap:
|
||||||
|
name: ceph-csi-encryption-kms-config
|
||||||
|
@ -74,6 +74,12 @@ spec:
|
|||||||
fieldPath: spec.nodeName
|
fieldPath: spec.nodeName
|
||||||
- name: CSI_ENDPOINT
|
- name: CSI_ENDPOINT
|
||||||
value: unix:///csi/csi.sock
|
value: unix:///csi/csi.sock
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
# - name: KMS_CONFIGMAP_NAME
|
||||||
|
# value: encryptionConfig
|
||||||
imagePullPolicy: "IfNotPresent"
|
imagePullPolicy: "IfNotPresent"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
@ -104,6 +110,8 @@ spec:
|
|||||||
mountPath: /tmp/csi/keys
|
mountPath: /tmp/csi/keys
|
||||||
- name: ceph-csi-mountinfo
|
- name: ceph-csi-mountinfo
|
||||||
mountPath: /csi/mountinfo
|
mountPath: /csi/mountinfo
|
||||||
|
- name: ceph-csi-encryption-kms-config
|
||||||
|
mountPath: /etc/ceph-csi-encryption-kms-config/
|
||||||
- name: liveness-prometheus
|
- name: liveness-prometheus
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
@ -173,6 +181,9 @@ spec:
|
|||||||
hostPath:
|
hostPath:
|
||||||
path: /var/lib/kubelet/plugins/cephfs.csi.ceph.com/mountinfo
|
path: /var/lib/kubelet/plugins/cephfs.csi.ceph.com/mountinfo
|
||||||
type: DirectoryOrCreate
|
type: DirectoryOrCreate
|
||||||
|
- name: ceph-csi-encryption-kms-config
|
||||||
|
configMap:
|
||||||
|
name: ceph-csi-encryption-kms-config
|
||||||
---
|
---
|
||||||
# This is a service to expose the liveness metrics
|
# This is a service to expose the liveness metrics
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -3,3 +3,46 @@ apiVersion: v1
|
|||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: cephfs-csi-nodeplugin
|
name: cephfs-csi-nodeplugin
|
||||||
|
namespace: default
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-nodeplugin
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["nodes"]
|
||||||
|
verbs: ["get"]
|
||||||
|
# allow to read Vault Token and connection options from the Tenants namespace
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumes"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["volumeattachments"]
|
||||||
|
verbs: ["list", "get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts/token"]
|
||||||
|
verbs: ["create"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: cephfs-csi-nodeplugin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: cephfs-csi-nodeplugin
|
||||||
|
# replace with non-default namespace name
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: cephfs-csi-nodeplugin
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
@ -3,6 +3,7 @@ apiVersion: v1
|
|||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: cephfs-csi-provisioner
|
name: cephfs-csi-provisioner
|
||||||
|
namespace: default
|
||||||
|
|
||||||
---
|
---
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
@ -10,9 +11,12 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||||||
metadata:
|
metadata:
|
||||||
name: cephfs-external-provisioner-runner
|
name: cephfs-external-provisioner-runner
|
||||||
rules:
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["nodes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
verbs: ["get", "list"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["events"]
|
resources: ["events"]
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
verbs: ["list", "watch", "create", "update", "patch"]
|
||||||
@ -22,6 +26,9 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["persistentvolumeclaims"]
|
resources: ["persistentvolumeclaims"]
|
||||||
verbs: ["get", "list", "watch", "update"]
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumeclaims/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
- apiGroups: ["storage.k8s.io"]
|
- apiGroups: ["storage.k8s.io"]
|
||||||
resources: ["storageclasses"]
|
resources: ["storageclasses"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
@ -37,15 +44,21 @@ rules:
|
|||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
resources: ["volumesnapshotclasses"]
|
resources: ["volumesnapshotclasses"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims/status"]
|
|
||||||
verbs: ["update", "patch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
- apiGroups: ["storage.k8s.io"]
|
||||||
resources: ["csinodes"]
|
resources: ["csinodes"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
resources: ["volumesnapshotcontents/status"]
|
resources: ["volumesnapshotcontents/status"]
|
||||||
verbs: ["update", "patch"]
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts"]
|
||||||
|
verbs: ["get"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts/token"]
|
||||||
|
verbs: ["create"]
|
||||||
---
|
---
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
@ -68,6 +81,9 @@ metadata:
|
|||||||
namespace: default
|
namespace: default
|
||||||
name: cephfs-external-provisioner-cfg
|
name: cephfs-external-provisioner-cfg
|
||||||
rules:
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["configmaps"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
resources: ["leases"]
|
resources: ["leases"]
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||||
|
Loading…
Reference in New Issue
Block a user